Enrolling the controller jwt file

I am doing a quick start on a dedicated host… and can find the jwt file for the edge router… but I cannot find the one for the controller?

Does this make any sense?

I am just hacking my way around… trying to break it at every step :slight_smile:

Right now the controller is “the first source of trust”. When you run the expressInstall script it will issue numerous ziti cli calls, some of which will be to ziti pki. These commands are establishing your PKI - and thus are establishing the root of your trust.

Because the controller is the root of the trust and this PKI is made when you’re making a controller - there is no ‘jwt’ for the controller.

If you crack open the config file, the ziti-cli-functions script, and watch the ziti tv on configurations, you’ll be able to explore your way through the settings and through the ziti cli commands that made the pki.


Thanks…

PS… I have also confirmed you need those ports open before you can enrol a jwt file.

This may take me longer to get to the next step… but I am starting to see how it all works now… interesting :slight_smile:

failed to parse JWT: could not retrieve token URL certificate: could not contact remote server [https://instance-20220317-1005:1280]: Get “https://instance-20220317-1005:1280”: dial tcp 10.0.0.41:1280: connect: connection refused

PS… is there a reason why the ports need to be open to enrol a jwt file…

I was thinking of leaving the ports closed right till the end… but there is obviously a reason why they are needed early on in the process.

Just curious…

Ahh… is it because the enrolment is done by the controller… and that you need to send the jwt file to the controller’s listener on that specific port…

I can see why now if that is the case

Time to do a clean install…

Correct. The act of "enrollment" requires you to make a CSR and send it to the controller. That will be over whatever port your controller listens for api calls on. You could choose to make it :443 if you like since that's a very common port. In the NetFoundry console - they use port 443 for the api and port 80 for data (not 1280/6262 respectively)

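Added example (mine, not the thread’s or the project’s code): what the enroller has to do before it ever gets to the CSR, in stdlib Python. It pulls the controller URL out of the token’s iss claim and checks that the API port is reachable, reproducing the "connection refused" case above against a closed loopback port. The sample token is constructed with a placeholder signature; apart from iss, the claim names are my assumption about the token layout.

```python
"""Preflight for an OpenZiti enrollment JWT (added example; stdlib only, not ziti CLI code).

Enrollment runs in this order: read the controller URL out of the token, fetch
that controller's TLS certificate, then generate a key, build a CSR and submit
it to the controller's API port. Neither of the first two steps can succeed
while the API port is closed, which is the "could not retrieve token URL
certificate ... connection refused" failure quoted in the thread.
"""
import base64
import json
import socket
import ssl
from urllib.parse import urlparse


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_enrollment_jwt(token: str) -> dict:
    """Return the claims of a JWT *without* verifying the signature.

    That is unavoidable at this stage: the signing key belongs to the controller,
    and the enroller only learns the controller's certificate by contacting the
    URL inside the token. Use these claims to decide where to connect, nothing more.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    if "alg" not in header:
        raise ValueError("JWT header has no 'alg'")
    return json.loads(_b64url_decode(parts[1]))


def controller_endpoint(claims: dict) -> tuple:
    """Host and port of the controller API, taken from the 'iss' claim."""
    url = urlparse(claims["iss"])
    if url.scheme != "https" or not url.hostname:
        raise ValueError("issuer is not an https URL: %r" % claims["iss"])
    return url.hostname, url.port or 443


def preflight(host: str, port: int, timeout: float = 3.0) -> dict:
    """TCP-connect to the controller API port and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return {"reachable": True, "reason": "tcp connect ok"}
    except ConnectionRefusedError:
        # Port closed or controller not listening: the case in the thread.
        return {"reachable": False, "reason": "connection refused"}
    except socket.timeout:
        # Typical of a firewall silently dropping the packets.
        return {"reachable": False, "reason": "timeout (filtered?)"}
    except OSError as exc:
        return {"reachable": False, "reason": "unreachable: %s" % exc}


def fetch_controller_cert_pem(host: str, port: int) -> str:
    """Step two of enrollment: retrieve the certificate the controller presents.

    The enroller then checks the token's signature against the key in this
    certificate before sending its CSR to the same endpoint.
    """
    return ssl.get_server_certificate((host, port))


def make_sample_token(iss: str) -> str:
    """Constructed, unsigned token shaped like a one-time enrollment JWT.

    Claim names other than 'iss' are my assumption about the layout; only
    'iss' is used here. The signature is a placeholder and will never verify.
    """
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": iss, "sub": "example-identity-id", "aud": "",
              "jti": "constructed-jti", "em": "ott", "exp": 4102444800}
    dumps = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return ".".join([_b64url_encode(dumps(header)), _b64url_encode(dumps(claims)),
                     _b64url_encode(b"placeholder-signature")])


# Constructed sample using the host name from the error message in the thread.
SAMPLE_TOKEN = make_sample_token("https://instance-20220317-1005:1280")


def closed_loopback_port() -> tuple:
    """A loopback port with nothing listening, to reproduce 'connection refused' locally."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return "127.0.0.1", s.getsockname()[1]


if __name__ == "__main__":
    host, port = controller_endpoint(decode_enrollment_jwt(SAMPLE_TOKEN))
    result = preflight(host, port)
    print("controller %s:%d -> %s" % (host, port, result["reason"]))
    if result["reachable"]:
        print(fetch_controller_cert_pem(host, port)[:64], "...")
```

Running it against a real token before `ziti edge enroll` tells you in one line whether you are about to hit the firewall rather than a PKI problem. A "connection refused" means the host answered and nothing is listening on that port; a timeout usually means the port is filtered somewhere in between.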

A really long, detailed, and excellent blog post on this topic is a five-part series here: Bootstrapping Trust | Ziti


Got it… starting to connect the dots.

PS… what does CSR mean… not heard of that before.

Well… I am getting closer to starting to understand it… when I first started… I had to have a break every 30 mins… now it’s up to about 2 hours… so I must be learning something.

Episode 4 of Bootstrapping Trust :slight_smile:

https://openziti.github.io/articles/bootstrapping-trust/part-04.certificate-authorities-and-chains-of-trust.html#chains-of-trust--pkis


Also - it’s a “certificate signing request” … tons of sources on the internet for that: SSL Basics: What is a Certificate Signing Request (CSR)?


Got it… Certificate Signing Requests

I have a background in sustainability and was thinking corporate social responsibility… and got totally confused.